Setting an encryption key
Some connectors require an encryption key before you create or edit a connection. Encryption keys are only necessary if you are using the connector on Qlik Sense Enterprise on Windows or Qlik Sense Desktop.
This security requirement came into effect in February 2022 for Qlik Web Connectors. Old connections made before then will still work, but you will not be able to edit them. If you try to create or edit a connection that needs a key, you will receive an error message: Error retrieving the URL to authenticate: ENCRYPTION_KEY_MISSING) - you must manually set an encryption key before creating new connections.
If you need to move .qvf files between Qlik Sense Desktop instances, you must set them up with the same key.
Connectors that require an encryption key
Qlik Web Storage Provider Connectors
Built-in Qlik Web Connectors
ODBC Connector Package
Generating an encryption key
You should generate encryption keys based on your organization's best practices. Encryption keys should be backed up in case you need to re-install Qlik Sense or add a node to your cluster.
The following table details the special requirements for encryption keys for specific types of connectors:
| Connector | Special requirements |
|---|---|
| ODBC | The key must use a 32-byte array and it must be converted to a Base64 string. |
| Web storage and built-in web connectors | The key must be a secure, random string of characters between 32 and 4096 bytes in size when encoded in UTF-8 format. |
Setting an encryption key on Qlik Sense Desktop
This command must be run as the same user that is running the Qlik Sense Engine Service (Engine.exe). For Qlik Sense Desktop, this should be the currently logged in user.
Setting an encryption key for Qlik Web Connectors
Do the following:
-
Open a command prompt and navigate to the directory containing the connector .exe file. For example:
cd C:\Users\USERNAME\AppData\Local\Programs\Common Files\Qlik\Custom Data\QvWebStorageProviderConnectorPackage
-
Run the following command:
QvWebStorageProviderConnectorPackage.exe /key {key}
Where {key} is the key you generated. For example, if you used the openssl command, your key might look like: QvWebStorageProviderConnectorPackage.exe /key zmn72XnySfDjqUMXa9ScHaeJcaKRZYF9w3P6yYRr
-
You will receive a confirmation message:
Info: Set key. New key id=qseow_prm_custom.
Info: key set successfully!
Setting an encryption key for ODBC Connector Package
Do the following:
-
Open a command prompt and navigate to the directory containing the connector .exe file. For example:
cd C:\Users\USERNAME\AppData\Local\Programs\Common Files\Qlik\Custom Data\QvOdbcConnectorPackage
-
Run the following command:
QvOdbcConnectorPackage.exe /key {key}
Where {key} is the key you generated. For example, if you used the openssl command, your key might look like: QvOdbcConnectorPackage.exe /key KKHZwWjdt+ADhsbFWEGboM25Ogks8XFLm2MCXehthmg=
-
Confirm that the new key is applied by checking that this key file exists:
C:\Users\{username}\AppData\Roaming\Qlik\Keys\qseow_master_key
Setting an encryption key on Qlik Sense Enterprise on Windows
The {sense service user} must be the name of the Windows account which is running your Qlik Sense Engine Service. You can see this in the Windows Services manager. In this example, the user is: MYCOMPANY\senseserver.
Setting an encryption key for Qlik Web Connectors
Do the following:
-
Open a command prompt and run:
runas /user:{sense service user} cmd. For example:runas /user:MYCOMPANY\senseserver
-
Run the following two commands to switch to the directory containing the connectors and then set the key:
-
cd C:\Program Files\Common Files\Qlik\Custom Data\QvWebStorageProviderConnectorPackage
-
QvWebStorageProviderConnectorPackage.exe /key {key}
Where {key} is the key you generated. For example, if you used the openssl command, your key might look like: QvWebStorageProviderConnectorPackage.exe /key zmn72XnySfDjqUMXa9ScHaeJcaKRZYF9w3P6yYRr
-
-
You should repeat this step, using the same key, on each node in the multinode environment where the Qlik Engine and the connectors are installed.
Encryption keys will be stored in: C:\Users\{sense service user}\AppData\Roaming\Qlik\QwcKeys\
In this example, encryption keys will be stored in: C:\Users\senseserver\AppData\Roaming\Qlik\QwcKeys\
Setting an encryption key for ODBC Connector Package
Do the following:
-
Open a command prompt and run:
runas /user:{sense service user} cmd. For example:runas /user:MYCOMPANY\senseserver
-
Run the following two commands to switch to the directory containing the connectors and then set the key:
-
cd C:\Program Files\Common Files\Qlik\Custom Data\QvOdbcConnectorPackage
-
QvOdbcConnectorPackage.exe /key {key}
Where {key} is the key you generated. For example, if you used the openssl command, your key might look like: QvOdbcConnectorPackage.exe /key KKHZwWjdt+ADhsbFWEGboM25Ogks8XFLm2MCXehthmg=
-
-
You should repeat this step, using the same key, on each node in the multinode environment where the Qlik Engine and the connectors are installed.
Encryption keys will be stored in: C:\Users\{sense service user}\AppData\Roaming\Qlik\Keys\
In this example, encryption keys will be stored in: C:\Users\MYCOMPANY\senseserver\AppData\Roaming\Qlik\Keys\
-
Remove this generated key on all nodes to avoid conflicts with the new key:
C:\Users\{sense service user}\AppData\Roaming\Qlik\Keys\qseow_file_cache_key
Troubleshooting
Error message in Qlik Web Connectors: badFileSize mac check in GCM failed
Possible cause
If you see this message when you reload your data or try to open a connection, the key currently set is not the one used when the connection was created.
Proposed action
You must find the original key. If you want to use a new key, you must manually change all keys using the procedure above.